Presentation is loading. Please wait.

Presentation is loading. Please wait.

DTLS-SRTP Handling in SIP B2BUAs draft-ram-straw-b2bua-dtls-srtp IETF-91 Hawaii, Nov 12, 2014 Presenter: Tirumaleswar Reddy Authors: Ram Mohan, Tirumaleswar.

Published byFrederica Robinson Modified over 8 years ago

Similar presentations

Presentation on theme: "DTLS-SRTP Handling in SIP B2BUAs draft-ram-straw-b2bua-dtls-srtp IETF-91 Hawaii, Nov 12, 2014 Presenter: Tirumaleswar Reddy Authors: Ram Mohan, Tirumaleswar."— Presentation transcript:

1 DTLS-SRTP Handling in SIP B2BUAs draft-ram-straw-b2bua-dtls-srtp IETF-91 Hawaii, Nov 12, 2014 Presenter: Tirumaleswar Reddy Authors: Ram Mohan, Tirumaleswar Reddy, Gonzalo Salgueiro, Victor Pascual 1

2 Agenda B2BUA modes and possible MITM attacks 2

3 B2BUA Modes 1.Media Relay 2.Media Aware 3.Media Terminator 3

4 Legitimate Media Relay  Media  Forwards packets without inspection or modification  Only modifies the L3 and L4 headers  Signaling  It MUST forward the received certificate fingerprint without any modifications 4

5 Malicious Media Relay  Media  Forwards packets with inspection or modification  Signaling  Modifies the certificate fingerprint and signals its own fingerprint 5

6 Possible Mitigation  Mandate authenticated identity management in SIP ( draft-ietf-stir- rfc4474bis)  signed-identity-digest carries the signed hash of certificate fingerprint  Mandate Identity headers to be present 6

7 2. The outbound proxy for the Alice’s domain verifies that this is from Alice and adds an assertion(based of 4474bis) that is it from alice@atlanta.com 3. This assertion is signed with the atlanta.com certificate from a well known certificate authority 4. The B2BUA here just changes UDP/IP header and does not modify payload INVITE Challenge INVITE Alice atlanta.com bob@biloxy.com 1.Alice calls Bob Authenticated identity management Alice Alice’s Proxy SIP Cloud bob Alice’s B2BUA (Back-to-Back User Agent)

8 B2BUA Modes 1.Media Relay 2.Media Aware 3.Media Terminator 8

9 Legitimate Media Aware  Media  Modifies the RTP header  Signaling  Terminates the DTLS connection and acts as a DTLS proxy -Changes the certificate fingerprint and signals its own fingerprint -Decrypts and re-encrypts the payload 9

10 Malicious Media Aware  Media  Inspects or modifies the payload. 10

11 2. The outbound proxy for the Alice’s domain verifies that this is from Alice and adds an assertion(based of 4474bis) that is it from alice@atlanta.com 3. This assertion is signed with the atlanta.com certificate from a well known certificate authority 4. The B2BUA changes the RTP header INVITE Challenge INVITE Alice atlanta.com bob@biloxy.com 1.Alice calls Bob B2BUA in the same administrative domain Alice Alice’s Proxy SIP Cloud bob Alice’s B2BUA (Back-to-Back User Agent)

12 Possible mitigations  Option 1> SRTP for cloud services (draft- cheng-srtp-cloud-00) proposes a mechanism where confidentiality and message authentication is independent of the RTP header  Option 2> Trust the B2BUA 12

13 2. The outbound proxy for the Alice’s domain verifies that this is from Alice and adds an assertion(based of 4474bis) that is it from alice@atlanta.com 3. This assertion is signed with the atlanta.com certificate from a well known certificate authority 4. The B2BUA changes the RTP header INVITE Challenge INVITE Alice atlanta.com ISP bob@biloxy.com 1.Alice calls Bob B2BUA in different administrative domain Alice Alice’s Proxy SIP Cloud bob B2BUA (Back-to-Back User Agent)

14 Possible mitigation  SRTP for cloud services (draft-cheng-srtp- cloud-00) proposes a mechanism where confidentiality and message authentication is independent of the RTP header 14

15 B2BUA Modes 1.Media Relay 2.Media Aware 3.Media Terminator 15

16 Media Terminator  Media terminator modifies the payload  Terminates the DTLS connection, acts as a DTLS proxy -Changes the certificate fingerprint and signals its own fingerprint -Decrypts and re-encrypts the payload 16

17 Possible attacks  Breaks end-to-end security. 17

18 2. The outbound proxy for the Alice’s domain verifies that this is from Alice and adds an assertion(based of 4474bis) that is it from alice@atlanta.com 3. This assertion is signed with the atlanta.com certificate from a well known certificate authority 4. The B2BUA modifies the payload INVITE Challenge INVITE Alice atlanta.com ISP bob@biloxy.com 1.Alice calls Bob B2BUA in same administrative domain Alice Alice’s Proxy SIP Cloud bob B2BUA (Back-to-Back User Agent)

19 Possible mitigations  Clients can be configured to maintain the B2BUA server's certificate fingerprints. This way the client is aware that B2BUA is playing the role of a media-proxy. 19

20 2. The outbound proxy for the Alice’s domain verifies that this is from Alice and adds an assertion(based of 4474bis) that is it from alice@atlanta.com 3. This assertion is signed with the atlanta.com certificate from a well known certificate authority 4. The B2BUA modifies the payload INVITE Challenge INVITE Alice atlanta.com ISP bob@biloxy.com 1.Alice calls Bob B2BUA in different administrative domain Alice Alice’s Proxy SIP Cloud bob B2BUA (Back-to-Back User Agent)

21 Possible mitigations Discourage media terminator mode. 21

22 Next Steps 22 DTLS-SRTP Handling in SIP B2BUAs

23 Backup 23

24 B2BUA Modes Media Relay - Only changes UDP/IP header- e.g.: topology hiding, privacy Media Aware - relay which can change RTP/RTCP headers- e.g.: monitors RTCP for QoS, mux/demuxes RTP/RTCP on same 5-tuple Media Terminator - Transcoders, Conference Servers 24

Download ppt "DTLS-SRTP Handling in SIP B2BUAs draft-ram-straw-b2bua-dtls-srtp IETF-91 Hawaii, Nov 12, 2014 Presenter: Tirumaleswar Reddy Authors: Ram Mohan, Tirumaleswar."

Similar presentations

Authentication in SIP Jon Peterson NeuStar, Inc Internet2 Member Meeting Los Angeles, CA - Nov 2002.

Authentication in SIP Jon Peterson NeuStar, Inc Internet2 Member Meeting Los Angeles, CA - Nov 2002.
July 20, 2000H.323/SIP1 Interworking Between SIP/SDP and H.323 Agenda Compare SIP/H.323 Problems in interworking Possible solutions Conclusion Q/A Kundan.

July 20, 2000H.323/SIP1 Interworking Between SIP/SDP and H.323 Agenda Compare SIP/H.323 Problems in interworking Possible solutions Conclusion Q/A Kundan.
SIP and IMS Enabled Residential Gateway Sergio Romero Telefónica I+D Jan Önnegren Ericsson AB Alex De Smedt Thomson Telecom.

SIP and IMS Enabled Residential Gateway Sergio Romero Telefónica I+D Jan Önnegren Ericsson AB Alex De Smedt Thomson Telecom.
Enabling SIP to the Enterprise Steve Johnson, Ingate Systems Security: How SIP Improves Telephony.

Enabling SIP to the Enterprise Steve Johnson, Ingate Systems Security: How SIP Improves Telephony.
H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.

H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.
© 2006 Solegy LLC Internal Use Only Getting Connected with SIP Encryption _______________________________ By Eric Hernaez Solegy LLC May 16, 2007.

© 2006 Solegy LLC Internal Use Only Getting Connected with SIP Encryption _______________________________ By Eric Hernaez Solegy LLC May 16, 2007.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
A “net head” view on SIP Henning Schulzrinne Columbia University IRT Lab Siemens Munich -- January 2003.

A “net head” view on SIP Henning Schulzrinne Columbia University IRT Lab Siemens Munich -- January 2003.
SIP Greg Nelson Duc Pham. SIP Introduction Application-layer (signaling) control protocol for initiating a session among users Application-layer (signaling)

SIP Greg Nelson Duc Pham. SIP Introduction Application-layer (signaling) control protocol for initiating a session among users Application-layer (signaling)
End-to-End SIP Session-ID at IETF84 draft-jones-insipid-session-id-00 1 August 2012 James Polk, Paul Jones Gonzalo Salgueiro, Chris Pearce.

End-to-End SIP Session-ID at IETF84 draft-jones-insipid-session-id-00 1 August 2012 James Polk, Paul Jones Gonzalo Salgueiro, Chris Pearce.
Proxy Authentication of the Emergency Status of SIP Calls draft-barnes-ecrit-auth-00 Richard Barnes IETF 69, Chicago, IL, USA.

Proxy Authentication of the Emergency Status of SIP Calls draft-barnes-ecrit-auth-00 Richard Barnes IETF 69, Chicago, IL, USA.
IT Expo SECURITY Scott Beer Director, Product Support Ingate +1-613-963-0933.

IT Expo SECURITY Scott Beer Director, Product Support Ingate
Session-ID Requirements for IETF84 draft-ietf-insipid-session-id-reqts-00 1 August 2012 Paul Jones, Gonzalo Salgueiro, James Polk, Laura Liess, Hadriel.

Session-ID Requirements for IETF84 draft-ietf-insipid-session-id-reqts-00 1 August 2012 Paul Jones, Gonzalo Salgueiro, James Polk, Laura Liess, Hadriel.
Security Data Transmission and Authentication

Security Data Transmission and Authentication
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.

What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.
1 SIP WG meeting 73rd IETF - Minneapolis, MN, USA November, 2008 Return Routability Check draft-kuthan-sip-derive-00 Jiri

1 SIP WG meeting 73rd IETF - Minneapolis, MN, USA November, 2008 Return Routability Check draft-kuthan-sip-derive-00 Jiri
MICE Mobility with ICE draft-wing-mmusic-ice-mobility-02 IETF85 Nov 2012 1 Authors: D.Wing, P. Patil, T. Reddy, P. Martinsen.

MICE Mobility with ICE draft-wing-mmusic-ice-mobility-02 IETF85 Nov Authors: D.Wing, P. Patil, T. Reddy, P. Martinsen.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 9: Securing Network Traffic Using IPSec.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 9: Securing Network Traffic Using IPSec.
March 10, 2008SIPPING WG IETF-711 Secure Media Recording and Transcoding with the Session Initiation Protocol draft-wing-sipping-srtp-key-03 Dan Wing Francois.

March 10, 2008SIPPING WG IETF-711 Secure Media Recording and Transcoding with the Session Initiation Protocol draft-wing-sipping-srtp-key-03 Dan Wing Francois.
B2BUA – A New Type of SIP Server Name: Stephen Cipolli Title: System Architect Date: Feb. 12, 2004.

B2BUA – A New Type of SIP Server Name: Stephen Cipolli Title: System Architect Date: Feb. 12, 2004.

Similar presentations

Ads by Google